CWE-1236βImproper Neutralization of Formula Elements in a CSV File
PUBLISHEDweakness record
released 2020-02-24 Β· last modified 2025-12-11
Metadata
- CWE ID:
- CWE-1236
- Abstraction:
- Base
- Structure:
- Simple
- Status:
- Incomplete
- Release Date:
- 2020-02-24
- Latest Modification Date:
- 2025-12-11
Weakness Name
Improper Neutralization of Formula Elements in a CSV File
Description
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Common Consequences
- Scope:
- Confidentiality
- Impact:
- Read Application Data, Execute Unauthorized Code or Commands
- Notes:
- Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content.